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NATIONAL FOREWORD 

This Indian Standard which is identical with ISO/IEC 10116 : 1997 'Information technology — Security 
techniques — Modes of operation for an n-blt block cipher' issued by the International Organization for 
Standardization ( ISO ) and International Electrotechnical Commission ( lEC ) jointly was adopted by the 
Bureau of Indian Standards on the recommendation of Information System Security Sectional Committee and 
approval of the Electronics and Telecommunication Division Council. 

The text of the ISO/IEC Standard has been approved as suitable for publication as Indian Standard without 
deviations. Certain conventions are, however, not identical to those used in Indian Standards. Attention is 
particularly drawn to the following: 

Wherever the words 'International Standard' appear referring to this standard, they should be read as 
'Indian Standard'. 



Indian Standard 
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INFORMATION TECHNOLOGY — SECURITY 

TECHNIQUES — MODES OF OPERATION FOR 

AN /7-BIT BLOCK CIPHER 



1 Scope 



This International Standard describes four modes of 
operation for an n-hxX block cipher. 

NOTE - Annex A (informative) contains comments on the 
properties of each mode. 

This International Standard establishes four defined modes of 
operation so that in applications of an n-bit block cipher (e.g. 
protection of data transmission, data storage, authentication) 
this International Standard will provide a useful reference for, 
for example, the specification of the mode of operation and 
the values of parameters (as appropriate). 



2 Definitions 

For the purposes of this International Standard, the following 
definitions apply. 

2.1 block chaining: The encipherment of information such 
that each block of ciphertext is cryptographically dependent 
upon the preceding ciphertext block. 

2.2 ciphertext: Data which has been transformed to hide its 
information content, 

2.3 cryptographic synchronization: The co-ordination of 
the encipherment and decipherment processes. 

2.4 decipherment: The reversal of a corresponding 
encipherment. 

2.5 encipherment: The (reversible) transformation of data 
by a cryptographic algorithm to produce ciphertext, i.e. to 
hide the data. 

2.6 feedback buffer (FB): Variable used to store input data 
for the encipherment process. At the starting point FB has the 
value ofSV, 

2J initializing value: Value used in defining the starting 
point of an encipherment process. 

2.8 key: A sequence of symbols that controls the operation 
of a cryptographic transformation (e.g. encipherment, 
decipherment) 

2.9 rt-bit block cipher: A block cipher with the property that 
plaintext blocks and ciphertext blocks are n bits in length. 

2.10 plaintext: Unenciphered information. 



2.11 starting variable (SV): Variable defining the starting 
point of the mode of operation. 

NOTE - The method of deriving the starting variable from the 
initializing value is not defined in this International Standard. It 
needs to be described in any application of the modes of operation. 



3 Notation 

3.1 encipherment: For the purposes of this International 
Standard the functional relation defined by the block cipher is 
written 



C - eK(P) 



where 



P is the plaintext block; 
C is the ciphertext block; 
K is the key. 

The expression eK is the operation of encipherment using the 
key a:. 

3.2 decipherment: The corresponding decipherment function 
is written 

P^dKfC) 

The expression dK is the operation of decipherment using the 
key/:. 

3.3 array of bits: A variable denoted by a capital letter, such 
as P and C above, represents a one-dimensional array of bits. 
For example, 

^ == (^1, 02, ..., aj and B = (bj, b2, ..., Z>J 

are arrays of m bits, numbered from / to m. All arrays of bits 
are written with the bit with index / in the leftmost position. 

3.4 addition modulo 2: The operation of addition, modulo 
2, also known as the "exclusive or" function, is shown by the 
symbol 0. The operation applied to arrays such as A and B is 
defined as 

A^B^(ai® bi, aj b2. ... am^bm) 

3.5 selection of bits: The operation of selecting the j 
leftmost bits of A to generate ay-bit array is written 

A -7 = (ai, a^ ... a) 

This operation is defined only when 1 <j<m where m is the 
number of bits in^. 

1 
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3.6 shift operation: A "shift fiinction" Sk is defined as 
follows: 

Given an m~b\t variable X and a ^-bit variable F where 
/ < A < m, the effect of a shift ftinction Sk(X\F) is to produce 
the m-bit variable 

Sic(X\F) = (xjtw, Xk^2> •.., x^f/,f2> -.fk) (k < m) 
Sk(X\F) = (fi,-fk) (k = m) 

The effect is to shift the bits of array X left by k places, 
discarding x/ ... Xjt and to place the array F in the rightmost k 
places of X When k ^ mihc effect is to totally replace A' by 
F, 

A special case of this function begins with the w-bit variable 
}{m) of successive "1" bits and shifts the variable F of k bits 
into it. 

The result is 

S,(I(m)\F) - (}, I ]Jjj2, ...JO (k < m) 

S,(l(m)\F)-(f,f2,^..J0 (k = m) 

where the w - ^ leftmost bits are " 1 ". 



4 Requirements 

For some of the described modes padding of the plaintext 
variables may be required. Padding techniques are not within 
the scope of this International Standard. 

For the Cipher Feedback (CFB) Mode of operation (see 
clause 7), three parameters r, j and k are defined. For the 
Output Feedback (OFB) Mode of operation (see clause 8), 
one parameter 7 is defined. When one of these modes of op- 
eration is used the same parameter value(s) need(s) to be 
chosen and used by all communicating parties. 



6 Cipher Block Chaining (CBC) Mode 

6.1 The variables employed for the CBC mode of 
encipherment are 

a) A sequence of ^ plaintext blocks P/, P2, ... Pq, each of/? 
bits. 

b) A key a:. 

c) A starting variable SK of « bits. 

d) A sequence of ^ ciphertext blocks Cj, C2, ..., C^, each of 
n bits. 

6.2 The CBC mode of encipherment is described as follows: 
Encipherment of the first plaintext block, 

Cj=eK(FjeSV) (3) 

subsequently, 

Q - eK(Fi e Ci.j) for / = 2, 3, .... q (4) 

This procedure is shown in the upper part of figure 1 , The 
starting variable SV is used in the generation of the first 
ciphertext output. Subsequently the ciphertext is added, 
modulo 2, to the next plaintext before encipherment. 

6.3 The CBC mode of decipherment is described as follows: 
Decipherment of the first ciphertext block, 

Pi=ciK(Cj)eSV (5) 

subsequently. 

Pi = dK(Ci) © Ci.i for / - 2, 3, ..., q (6) 

This procedure is shown in the lower part of figure 1. 



5 Electronic Codebook (ECB) Mode 

5. 1 The variables employed for the ECB mode of 
encipherment are 

a) A sequence of ^ plaintext blocks Pj, P2, ..., P(p each of « 
bits. 

b) Akey^. 

c) The resultant sequence of q ciphertext blocks C;, C2, ..., 
Q, each of rt bits. 



5.2 The ECB mode of encipherment is described as follows: 

d = eK(Pi) for i ^1, 2, ,..,q (I) 

5.3 The ECB mode of decipherment is described as follows: 

Pi = dK(Ci) for i^},2,...,q (2) 



7 Cipher Feedback (CFB) Mode 

7.1 Three parameters define a CFB mode of operation: 

- the size of feedback buffer, r, where n<r<2n 

- the size of feedback variable, k, where I<k<n 

- the size of plaintext variable,7, where I<j < k 

NOTES 

1 r - k may be smaller than n. Figure 2 shows the special 
case where r-k>n. 

2 lfr = n then this mode is compatible with the CFB Mode 
described in the previous edition of this International Standard. 

The variables employed for the CFB mode of operation are 

a) The input variables 

1) A sequence of ^ plaintext variables Pj, P2, ... Pq, each 
of 7 bits. 

2) A key/:. 

3) A starting variable SVofr bits. 
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b) The intermediate results 



1) A sequence ofq block cipher input blocks 
Xj, X2, .,., Xcf, each ofn bits. 

2) A sequence of ^ block cipher output blocks 
Yj, Y2, ..., y^, each oin bits. 

3) A sequence of ^ variables £7, E2, ..., £(,, each ofy bits. 

4) A sequence of ^-7 feedback variables 
Fa ^2, ..., F^y, each of A: bits. 

5) A sequence ofq-I feedback buffer contents 
FBj, FB2,^..^FBg.j^ each of r bits. 

c) The output variables, i.e. a sequence of q ciphertext 
variables Cj, C2, .., Q, each ofy bits. 

7.2 The feedback buffer FB is set to its initial value 

FBj-^SV (1) 

The operation of enciphering each plaintext variable employs 
following six steps: 



the following six steps: 



a) Xi^FB,-^n 

b) Use of block cipher, Y, = eK(Xi) 

c) Selection of leftmosty bits, Ei = K; -j 

d) Generation of ciphertext variable, Q = Pi © Ej 

e) Generation of feedback variable, F, = S,(I(k)\Ci) 

f) Shift function on FB, FB,,i = Sk(FB,\Fi) 



(9) 

(10) 

(11) 
(12) 
(13) 



These steps are repeated for / = 7, 2, ..., q, ending with 
equation (11) on the last cycle. The procedure is shown in the 
left side of figure 2. The leftmost^ bits of the output block Y 
of the block cipher are used to encipher the y-bit plaintext 
variable by modulo 2 addition. The remaining bits of Y are 
discarded. The plaintext and ciphertext variables have bits 
numbered from 7 toy. 

The ciphertext variable is augmented by placing k~j "1" bits 
in its leftmost bh positions to become the k-h\X feedback 
variable F. Then the bits of the feedback buffer FB are 
shifted left by k places and F is inserted in the rightmost k 
places, to produce the new value of the feedback buffer FB. 
In this shift operation, the leftmost k bits of FB are discarded. 
The new n leftmost bits of F5 are used as the next inputs of 
the encipherment process. 

7.3 The variables employed for decipherment are the same as 
those employed for encipherment. 



The feedback buffer FB is set to its initial value 



FBj-SV 



(14) 



The operation of deciphering each ciphertext variable 
employs the following six steps: 

a) Xi = FBi-n (15) 

b) Use of block cipher, F^-e^(X() (16) 

c) Selection of leftmost; bits, £/ = r/~y (17) 

d) Generation of plaintext variable, F> = Q £/ (18) 

e) Generation of feedback variable, F, = S,(I(k)\Ci) (19) 

f) Shift ftmction on FB, FBi^j = Sk(FBi\Fi) (20) 



These steps are repeated for i ^ I, 2, ..., q, ending with 
equation (18) on the last cycle. The procedure is shown in the 
right side of figure 2. The leftmost; bits of the output block Y 
of the block cipher are used to decipher the y-bit ciphertext 
variable by modulo 2 addition. The remaining bits of Y are 
discarded. The plaintext and ciphertext variables have bits 
numbered from 7 toy. 

The ciphertext variable is augmented by placing k-j "1" bits 
in its leftmost bit positions to become the ^-bit feedback 
variable F. Then the bits of the feedback buffer FB are 
shifted left by k places and F is inserted in the rightmost k 
places to produce the new value of FB. In this shift operation, 
the leftmost k bits of FB are discarded. The new n leftmost 
bits of FB are used as the next input X of the encipherment 
process. 

7.4 It is recommended that CFB should be used with equal 
values of y and k. In this recommended form (j = k) the 
equations (12) and (19) can be written 

F; == Ci (casej = k) 

8 Output Feedback (OFB) Mode 

8.1 The OFB mode of operation is defined by one parameter, 
i.e. the size of plaintext variabley where 7 <. y < n. 

The variables employed for the OFB mode of operation are 

a) The input variables 

1) A sequence of ^ plaintext variables Pj, P2, ..., Pq, 
each ofy bits, 

2) A key K. 

3) A starting variable SVofn bits. 

b) The intermediate results 

1) A sequence of ^ block cipher input blocks 
Xj, X2, ..., Xtf, each of « bits. 

2) A sequence of ^ block cipher output blocks 
Yj, Y2, ..., y^, each ofn bits. 

3) A sequence of ^ variables Ej, E2, .... F^, each ofy 
bits. 

c) The output variables, i.e. a sequence of ^ ciphertext 
variables Cy, Q, ..., C^, each ofy bits. 



8.2 The input block A" is set to its initial value 
Xi^SV 



(21) 



The operation of enciphering each plaintext variable employs 
the following four steps: 

a) Use of block cipher, r;-e^(Xj (22) 

b) Selection of leftmosty bits, F, - K/ ~y (23) 

c) Generation of ciphertext variable, d = F, © Fy (24) 

d) Feedback operation, X/+; = Yi (25) 

These steps are repeated for i = I, 2, ..., q, ending with 
equation (24) on the last cycle. The procedure is shown on 
the left side of figure 3. The result of each use of the block 
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cipher, which is y>, is used to feed back and become the next 
value of X, namely Xt^j . The leftmosty bits of 7/ are used to 
encipher the input variable. 

8,3 The variables employed for decipherment are the same as 
those employed for encipherment. The input block JT is set to 
its initial valued/ = SV. 

The operation of deciphering each ciphertext variable 
employs the following four steps: 



a) Use of block cipher, 7, = eK(Xi^ (26) 

b) Selection of leftmosty bits, £, = F/ -y (27) 

c) Generation of plaintext variable, Pi^Q® E, (28) 

d) Feedback operation, JG+y = y, (29) 

These steps are repeated for / = 1,2, ..., q, ending with 
equation (28) on the last cycle. The procedure is shown in the 
right side of figure 3. The values Xi and Yj are the same as 
those used for encipherment; only equation (28) is different. 
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Figure 1 - The cipher block chaining (CBC) mode of operation 
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Figure 2 - The cipher feedback (CFB) mode of operation 
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Annex A 

(informative) 

Properties of the modes of operation 



A.l Properties of the Electronic Codebook 
(ECB) mode of operation 

A.1.1 Environment 

Binary data exchanged between computers, or people, may 
have repetitions or commonly used sequences. In ECB mode, 
identical plaintext blocks produce (for the same key) identical 
ciphertext blocks. 

A. 1. 2 Properties 

Properties of the ECB mode are 

a) encipherment or decipherment of a block can be carried 
out independently of the other blocks; 

b) reordering of the ciphertext blocks will result in the 
corresponding reordering of the plaintext blocks; 

c) the same plaintext block always produces the same 
ciphertext block (for the same key) making it vulnerable to 
a "dictionary attack", where a dictionary is built up with 
corresponding plaintext and ciphertext blocks. 

The ECB mode is in general not recommended for messages 
longer than one block. The use of ECB may be specified in 
future International Standards for those special purposes 
where the repetition characteristic is acceptable or blocks 
have to be accessed individually. 

A, 1.3 Padding requirements 

Only multiples of n bits can be enciphered or deciphered. 
Other lengths need to be padded to a «-bit boundary. 

A.1.4 Error propagation 

In the ECB mode, one or more bit errors within a single 
ciphertext block will only affect the decipherment of the 
block in which the error(s) occur(s). Decipherment of a 
ciphertext block with one or more error bits will result in a 
50 % error probability of each plaintext bit in the 
corresponding plaintext block. 

A.1.5 Block boundaries 

If block boundaries are lost between encipherment and 
decipherment (e.g. due to a bit slip), synchronization between 
the encipherment and decipherment operations will be lost 
until the correct block boundaries are re-established. The 
result of all decipherment operations will be incorrect while 
the block boundaries are lost. 



A.2 Properties of the Cipher Block 
Chaining (CBC) mode of operation 

A.2.1 Environment 

The CBC mode produces the same ciphertext whenever the 
same plaintext is enciphered using the same key and starting 
variable. Users who are concerned about this characteristic 
need to adopt some ploy to change the start of the plaintext, 
the key, or the starting variable. One possibility is to 
incorporate a unique identifier (e.g. an incremented counter) 
at the beginning of each CBC message. Another, which may 
be used when enciphering records whose size should not be 
increased, is to use some value such as the starting variable 
which can be computed from the record without knowing its 
contents (e.g. its address in random access storage). 

A.2*2 Properties 

Properties of the CBC mode are 

a) the chaining operation makes the ciphertext blocks 
dependent on the current and all preceding plaintext blocks 
and therefore rearranging ciphertext blocks does not result 
in a rearranging of the corresponding plaintext blocks; 

b) the use of different SV values prevents the same 
plaintext enciphering to the same ciphertext, 

A.2.3 Padding requirements 

Only multiples of n bits can be enciphered or deciphered. 
Other lengtfis need to be padded to a «-bit boundary. If this is 
not acceptable, the last variable can be treated in a special 
way. Two examples of a special treatment are given below. 

A first possibility to treat an incomplete last variable (i.e. a 
variable Pq ofj < n bits where q should be greater than 1) is 
to encipher it hi OFB mode as described below: 



a) encipherment 

b) deciphennent 



(30) 



(31) 



However, this last variable is vulnerable to a "chosen 
plaintext attack" if the SV is not secret or if it is used more 
than once with the same key (see clause A.4). 



A second possibility is known as "ciphertext-stealing". 
Suppose that the last two plaintext variables axe Pef.j and P^, 
where Z'^/ is an w-bit block and f^ is a variable of J < n bits 
and q sljj)uld be greater than 1 . 

a) encipherment 

Let C^; be the ciphertext block derived from P^/ using the 
method described in 5.2, Then set 



C,^eK(Si(C,.!\P^) 



(32) 



The last two ciphertext variables are then Ct^^j - j and Q. 

b) decipherment 

Q needs to be deciphered first, resulting in the variable P^ 
and the right-most n-j bits of C^/ 



Si(C^i\P^^dK(C^ 



(33) 



The complete block C^; is now available and P^/ can be 
derived using the method described in 5.3. 

The two trailing ciphertext variables are deciphered in 
reverse order which makes this solution less suited for 
hardware implementations. 

A.2.4 Error propagation 

In the CBC mode, one or more bit errors within a single 
ciphertext block will affect the decipherment of two blocks 
(the block in which the error occurs and the succeeding 
block). An error in the i-th ciphertext block has the following 
effect on the resulting plaintext: the i-th plaintext block will 
have a 50 % error probability for each bit. The i+l-th 
plaintext block will have an error pattern equal to that in the 
i-th ciphertext block. If errors occur in a variable of less than 
n bits, error propagation depends on the chosen method of 
special treatment. In the first example the deciphered short 
block will have those bits in error that correspond directly to 
the ciphertext bits in error. 

A.2.5 Block boundaries 

If block boundaries are lost between encipherment and 
decipherment (e.g. due to a bit slip), synchronization between 
the encipherment and decipherment operations will be lost 
until the correct block boundaries are re-established. The 
result of all decipherment operations will be incorrect while 
the block boundaries are lost. 



A.3 Properties of the Cipher Feedback (CFB) 
mode of operation 

A.3.1 Environment 

The CFB mode produces the same ciphertext whenever the 
same plaintext is enciphered using the same key and starting 
variable. Users who are concerned about this characteristic 
need to adopt some ploy to change the start of the plaintext, 
the key, or the starting variable. One possibility is to 
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incorporate a imique identifier (e.g. an incremented counter) 
at the beginning of each CFB message. Another, which may 
be used when enciphering records whose size should not be 
increased, is to use some value such as the starting variable 
which can be computed from the record without knowing its 
contents (e.g. its address in random access storage). 

A.3.2 Properties 

Properties of the CFB mode are 

a) the chaining operation makes the ciphertext variables 
dependent on the current and all but a certain number of 
immediately preceding plaintext variables. This number 
depends on fte selection of r, A, and j (see figure 2). 
Therefore rearranging y-bit ciphertext variables does not 
result in a rearranging of the corresponding y-bit plaintext 
variables. 

b) the use of different SV values prevents the same 
plaintext enciphering to jBie same ciphertext; 

c) the encipherment and decipherment processes in the 
CFB mode both use the encipherment operation of the 
block cipher; 

d) the strength of the CFB mode depends on the size of it 
(maximal ify = k) and the relative sizes ofy, A, n and r; 

NOTE -j<k will result in an increased probability of repeating 
occurrences of values of the input blocks. Such repeated 
occurrences will reveal linear relations between plaintext bits. 

e) selection of a small value of y will require more cycles 
through the block cipher operation per unit of plaintext 
and thus cause greater processing overheads. 

f) selection of r > n + k enables the pipelining and the 
continuous operation of the block cipher. 

A.3.3 Padding requirements 

Only multiples of y bits can be enciphered or deciphered. 
Other lengths need to be padded to a y-bit boundary. 
However, frequently y will be chosen equal to such a size, 
that no padding will be required, e.g. j can be modified for 
the last portion of the plaintext. 

A3.4 £rror propagation 

In the CFB mode, errors in any y-bit unit of ciphertext will 
affect the decipherment of succeeding ciphertext until the bits 
in error have been shifted out of the CFB feedback buffer. An 
error in the i-th ciphertext variable has the following effect on 
the resulting plaintext: the i-th plaintext variable will have an 
error pattern equal to that in the i-th ciphertext variable. The 
succeeding plaintext variables will have a 50 % error 
probability for each bit until all incorrectly received bits have 
been shifted out of the feedback buffer. 

A.3.S Synchronization 

If y-bit boundaries are lost between encipherment and 
decipherment (e.g. due to a bit slip), cryptographic 
synchronization will be re-established r bits after y-bit 
boundaries are re-established. If a multiple of y bits are lost 
synchronization will be re-established automatically after r 
bits. 
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A.4 Properties of the Output Feedback (OFB) 
mode of operation 

A.4.1 Environment 

The OFB mode produces the same ciphertext whenever the 
same plaintext is enciphered using the same key and starting 
variable. Moreover, in the OFB mode the same key stream is 
produced when the same key and SV are used. Consequently, 
for security reasons a specific SV should be used only once 
for a given key. 

A.4,2 Properties 

Properties of the OFB mode are 

a) the absence of chaining makes the OFB more 
vulnerable to active attacks; 

b) the use of different SV values prevents the same 
plaintext enciphering to the same ciphertext, by 
producing different key streams; 

c) the encipherment and decipherment processes in the 
OFB mode both use the encipherment operation of the 
block cipher; 

d) the OFB mode does not depend on the plaintext to 
generate the key stream used to add modulo 2 to the 
plaintext; 

e) selection of a small value of y will require more cycles 
through the block cipher per unit of plaintext and thus 
cause greater processing overheads. 



A.4.3 Padding requirements 

Only multiples of y bits can be enciphered or deciphered. 
Other lengths need to be padded to a y'-bit boundary. 
However, frequently j will be chosen equal to such a size, 
that no padding will be required, e.g. j can be modified for 
the last portion of the plaintext. 

A.4.4 Error propagation 

The OFB mode does not extend ciphertext errors in the 
resultant plaintext output. Every bit in error in the ciphertext 
causes only one bit to be in error in the deciphered plaintext. 

A.4.5 Synchronization 

The OFB mode is not self-synchronizing. If the two 
operations of encipherment and decipherment get out of 
synchronism, the system needs to be re-initialized. Such a 
loss of synchronism might be caused by any number of 
inserted or lost ciphertext bits. 

Each re-initialization should use a value of 5 K different from 
the SV values used before with the same key. The reason for 
this is that an identical bit stream would be produced each 
time for the same parameters. This would be susceptible to a 
"known plaintext attack". 



8 



IS 15116 : 2002 
ISO/IEC 10116 : 1997 



Annex B 

(informative) 

Information about patents 



During the preparation of this International Standard, information was gathered concerning relevant patents upon which application 
of this International Standard might depend. Relevant patents were identified as belonging to International Business Machines 
Corporation (IBM) and UNISYS. However, ISO cannot give autiioritative or comprehensive information about evidence, validity or 
scope of patent or like rights. 

The patent-holders have stated that licences will be granted in appropriate terms to enable application of this International Standard, 
provided that those who seek licences agree to reciprocate. 

Further information is available from 

Director of Commercial Relations 
International Business Machines Corporation 
2000 Purchase Street 
PURCHASE, N.Y.I 0577 
U.S.A. 

Director, Industry Relations 

UNISYS ^ ■ ^ 

PO Box 500 

Blue Bell, PA 19424 

U.S.A. 
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Annexe 

(informative) 

Examples for the modes of operation 



C.l General 

This annex gives examples for the encipherment and decipherment of a message using the modes of operation specified in this 
International Standard. The examples use the following parameters: 

a) The block cipher used is the Data Encryption Algorithm (DEA) (see Annex D). The value ofn is 64. 

b) The cryptographic key is 0123456789ABCDEF. 

c) The starting variable is 1234567890ABCDEF. 

d) The plaintext is the 7-bit ASCII code for Tslow is the time for all ' (in hexadecimal notation 4E6F772069732074 
68652074696D6520 666F7220616C6C20). For CFB mode the plaintext is the 7-bit ASCII code for TSlow* (in hexadecimal 
notation 4E6F77). 



ClECBMode 

Examples for the ECB mode of encipherment and decipherment are given in tables C.l and C.2, respectively. 

Table C.l - ECB mode, encipherment 



i 


plaintext P; 


block cipher input block 


block cipher output block 


ciphertext C; 


1 


4E6F772069732074 


4E6F772069732074 


3FA40E8A984D4815 


3FA40E8A984D4815 


2 


68652074696D6520 


68652074696D6520 


6A271787AB8883F9 


6A271787AB8883F9 


3 


666F7220616C6C20 


666F7220616C6C20 


893D51EC4B563B53 


893D51EC4B563B53 


Table C.2 - ECB mode, decipherment 


' 


ciphertext Ci 


block cipher input block 


block cipher output block 


plaintext Pj 


1 


3FA40E8A984D4815 


3FA40E8A984D4815 


4E6F772069732074 


4E6F772069732074 


2 


6A271787AB8883F9 


6A271787AB8883F9 


68652074696D6520 


68652074696D6520 


3 


893D51EC4B563B53 


893D51EC4B563B53 


666F7220616C6C20 


666F7220616C6C20 



C.3 CBC Mode 

Examples for the CBC mode of encipherment and decipherment are given in tables C.3 and C.4, respectively. 

Table C.3 - CBC mode, encipherment 



' 


plaintext P-, 


block cipher input btock 


block cipher output block 


ciphertext O, 


1 


4E6F772069732074 


5C5B2158f9D8ED9B 


E5C7CDDE872BF27C 


E5C7CDDE872BF27C 


2 


68652074696D6520 


8DA2EDAAEE46975C 


43E934008C389C0F 


43E934008C389C0F 


3 


666F7220616C6C20 


25864620ED54F02F 


683788499A7C05F6 


683788499A7C05F6 
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Table C.4 - CBC mode, decipherment 



' 


ciphertext O, 


block cipher input block 


block cipher output block 


plaintext Pi 


1 


E5C7CDDE872BF27C 


E5C7CDDE872BF27C 


5C5B2158f9D8ED9B 


4E6F772069732074 


2 


43E934008C389C0F 


43E934008C389C0F 


8DA2EDAAEE46975C 


68652074696D6520 


3 


683788499A7C05F6 


683788499A7C05F6 


25864620ED54F02F 


666F7220616C6C20 



C.4 CFB Mode 



Examples for the CFB mode of encipherment and decipherment are given in tables C.5 and C.6, respectively. For this example the 
parametersy" ^ k ^ 8 and r = n have been chosen. The k bits feedback are shown in italics. 

Table C.5 - CFB mode, encipherment 



i 


plaintext Pj 


block cipher input block 


block cipher output block 


ciphertext C-, 


1 


4E 


1234567890ABCDEF 


BD661569AE874E25 


F3 


2 


6F 


34567890ABCDEFFi 


7039546F9A0F6330 


IF 


3 


77 


567890ABCDEFF37F 


AD1B78B0BB371BE7 


DA 


Table C.6 - CFB mode, decipherment 


' 


ciphertext O, 


block cipher input block 


block cipher output block 


plaintext P; 


1 


F3 


1234567890ABCDEF 


BD661569AE874E25 


4E 


2 


IF 


34567890ABCDEFF5 


7039546F9A0F6330 


6F 


3 


DA 


567890ABCDEFF3/F 


AD1B78B0BB371BE7 


77 



C.5 CFB Mode 

Examples for the OFB mode of encipherment and decipherment are given in tables C.7 and C.8, respectively. For this example the 
parameter^' = 64 has been chosen. 



Table C.7 - OFB mode, encipherment 



' 


plaintext P; 


block cipher input block 


block cipher output block 


ciphertext Ci 


1 


4E6F772069732074 


1234567890ABCDEF 


BD661569AE874E25 


F3096249C7F46E51 


2 


68652074696D6520 


BD661569AE874E25 


5D976A504786581F 


35F24A242EEB3D3F 


3 


666F7220616C6C20 


5D976A504786581F 


5B0229C3443694E3 


3D6D5BE3255AF8C3 






Table C.8 - OFB mode, dc 


!cipherment 




' 


ciphertext Cj 


block cipher input block 


block cipher output block 


plaintext Pi 


1 


F3096249C7F46E51 


1 234567890 ABCDEF 


BD661569AE874E25 


4E6F772069732074 


2 


35F24A242EEB3D3F 


BD661569AE874E25 


5D976A504786581F 


68652074696D6520 


3 


3D6D5BE3255AF8C3 


5D976A504786581F 


5B0229C3443694E3 


666F7220616C6C20 
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